Gergana Virus
Virus Name: Gergana
Aliases: Gergana II, Gergana III, Gergana IV, Gergana-222, Gergana-300,
         Gergana-450, Gergana-512, Gergana-182B
V Status: Rare
Discovered: May, 1991
Symptoms: .COM file growth; file date/time changes
Origin: Europe
Eff Length: 182 Bytes
Type Code: PNCK - Parasitic Non-Resident .COM Infector
Detection Method: ViruScan, AVTK, F-Prot, Sweep, NAV, IBMAV, NAVDX,
                  VAlert, PCScan, ChAV, NShld, LProt, Sweep/N, Innoc,
                  NProt, AVTK/N, NAV/N, IBMAV/N
Removal Instructions: Delete infected files
General Comments:
The Gergana Virus was received in May, 1991. It is from Europe.
Gergana is a direct action non-resident infector of .COM programs,
including COMMAND.COM.

When a program infected with Gergana is executed, Gergana will
infect the first .COM program in the current directory. If this
program was previously infected with Gergana, it will be reinfected.
The virus will then search the current drive and directory for an
uninfected .COM program to infect. Once one is located, the virus
will infect it, increasing the file's length by 182 bytes. The virus
will be located at the end of the infected program. The program's
date and time in the disk directory will also be updated to the
system date and time at the moment of infection.

Gergana may also reinfect the .COM programs in the current directory
once all .COM programs in the directory have been infected. These
reinfections appear to be a bug within the virus.

Gergana does not do anything besides replicate.

Known variant(s) of Gergana are:

Gergana-182B: Based on the original 182 byte Gergana variant,
              this variant has one byte which differs. It does not
              reinfect previously infected files.
              Received: January, 1992   Origin: Unknown

Gergana-222:  A 222 byte variant of Gergana, this variant does
              not reinfect .COM files. Like Gergana, infected files
              will have had their date and time changed to the system
              date and time when infection occurred. It will not
              infect very small files. The following text strings
              can be found in infected files: "Gergana II -BUL3" and
              "*.COM". The virus will be located at the beginning of
              infected files.
              Received: November, 1991   Origin: Unknown

Gergana-300:  A 300 byte variant of Gergana, programs infected
              with this variant will not have had their file date and
              time updated in the DOS disk directory. It will not
              infect very small .COM files. The following text
              strings can be found in infected files: "Gergana /",
              "III", and "*.COM". The virus will be located at the
              beginning of infected files.
              Received: November, 1991   Origin: Unknown

Gergana-450:  A 450 byte variant of Gergana, this variant is
              functionally similar to Gergana-300. It will also be
              located at the beginning of infected files. Text
              strings found in infected programs are:
                "*.COM", "GERGANA", "-IV Free", and
                "This file is infected. Press [Enter] to continue."
              Received: November, 1991   Origin: Unknown

Gergana-512:  A 512 byte variant of Gergana, this variant will
              infect two .COM files (but not COMMAND.COM) located
              in the current directory. Infected files will increase
              in size by 512 bytes with the virus being located
              at the beginning of the file. There will be no change
              in the file's date and time in a DOS disk directory
              listing. The following text strings can be found in
              infected programs:
                "Gergana V"
                "For nice time call [359][032] 557-643."
                "[Enter] to continue."
              Typically, infected .COM programs will fail to execute
              properly, displaying random characters from memory when
              they are executed.
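
The following Python sketch is an added example, not part of the original entry and not the logic of any scanner listed under Detection Method. It checks the head of .COM files for the text strings given above for the four variants that sit at the beginning of infected files. The function names, and the rule that all of a variant's strings must fall within its first N bytes (N being the variant's length), are assumptions of this example; the 182-byte variants list no strings and are not covered.

```python
import os

# Variant -> (virus length in bytes, text strings), both taken from the entry above.
# Assumption of this example: every listed string lies inside the viral body,
# i.e. within the first `length` bytes of a file infected at its beginning.
VARIANTS = {
    "Gergana-222": (222, [b"Gergana II -BUL3", b"*.COM"]),
    "Gergana-300": (300, [b"Gergana /", b"III", b"*.COM"]),
    "Gergana-450": (450, [b"*.COM", b"GERGANA", b"-IV Free",
                          b"This file is infected. Press [Enter] to continue."]),
    "Gergana-512": (512, [b"Gergana V", b"For nice time call [359][032] 557-643.",
                          b"[Enter] to continue."]),
}

def classify_head(data):
    """Return the variants whose strings all occur in the first `length` bytes."""
    hits = []
    for name, (length, markers) in VARIANTS.items():
        if len(data) <= length:
            continue  # too short to hold the virus body plus a host program
        head = data[:length]
        if all(marker in head for marker in markers):
            hits.append(name)
    return hits

def scan_directory(path):
    """Map each .COM file name in `path` to the variants its head matches."""
    results = {}
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if entry.upper().endswith(".COM") and os.path.isfile(full):
            with open(full, "rb") as fh:
                hits = classify_head(fh.read(1024))  # longest variant: 512 bytes
            if hits:
                results[entry] = hits
    return results

def build_sample(variant):
    """Constructed, inert test data: the strings, zero padding, then filler 'host' bytes."""
    length, markers = VARIANTS[variant]
    return b"\x00".join(markers).ljust(length, b"\x00") + b"HOST" * 16

if __name__ == "__main__":
    for variant in VARIANTS:
        print(variant, "->", classify_head(build_sample(variant)))
    print(classify_head(b"MZ" + b"\x00" * 600))  # clean filler: no match
```

A string match of this kind is a triage heuristic only: a hit should be confirmed with one of the scanners listed above, and a miss says nothing about the 182-byte variants.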